The New York firm told the BBC that the vulnerability had since been fixed.

But a security researcher said he had previously warned the firm about security weaknesses.

Topps declined to say how many people were affected or why the payment card numbers were at risk. In most hack attacks, companies assure users that they do not store such financial data in a form that can be exposed.

'Unforgiveable'

In an email to customers Topps wrote that on 12 October "one or more intruders gained unauthorised access" to its systems.

"[They] may have gained access to names, addresses, email addresses, phone numbers, credit or debit card numbers, card expiration dates and card verification numbers for customers [who made purchases] between approximately 30 July 2016 and 12 October 2016," it added.

It is offering one year's worth of free identify theft protection to those affected.